Skip a Transform Rule execution of a Worker sub request

Hey,
=== EDITED ===

I’m trying to avoid a Transform Rule from being executed (on the second time) when a sub request is executed by a Worker

Unfortunately it seems like the cf.worker.upstream_zone is not available in the Transform Rules Filters (according to that - Available fields and functions in rewrite URL rules · Cloudflare Rules docs)

The error i get -
is not a valid value for expression because the use of field cf.worker.upstream_zone is not allowed (Code: 20127)

Though it is probably not the best practice I was trying to rely on the headers, as they are available in the Filters - i was trying to refer the CF-Worker header, but it doesn’t seem to work either
I tried -
not(any(http.request.headers.names[*] == "CF-Worker"))
and also
not(any(http.request.headers["cf-worker"][*] matches "^.+$"))

Probably because according to the docs (Cloudflare HTTP request headers · Cloudflare Fundamentals docs) it seems like when using rules (they specifically mention WAF rules, but I think it behaves the same here) the CF-Worker header is not set yet and they actually refer to use the cf.worker.upstream_zone parameter

Any ideas how to overcome this?

Hi,

In your filter expression, try to add this:

and not starts_with(http.request.uri.path, "/v1")

Hi @cbrandt
Thanks :slight_smile:

It works, but doesn’t feel robust enough, i’m looking for a more “native” solution for that

Why?

What do you mean?

Because it works in this specific use case, but let’s assume i had some regex based replacement - it would be much more complex to implement the filter
A much more native solution will be for example to skip the Transform Rule when the request is made by a worker, so I’m looking for a way to filter it based on the way the request has made (for example localhost Source IP, or something similar), unfortunately the things i’ve tried up until now didn’t work

Thanks for clarifying.

You may want to have a look at the field cf.worker.upstream_zone.

Identifies whether a request comes from a worker or not.
When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise cf.worker.upstream_zone is empty.
Source: Fields reference · Cloudflare Ruleset Engine docs

Hey,
Thanks! :slight_smile: that exactly what I was looking for

Unfortunately it seems like the cf.worker.upstream_zone is not available in the Transform Rules Filters (according to that - Available fields and functions in rewrite URL rules · Cloudflare Rules docs)

The error i get -
is not a valid value for expression because the use of field cf.worker.upstream_zone is not allowed (Code: 20127)

Though it is probably not the best practice I was trying to rely on the headers, as they are available in the Filters - i was trying to refer the CF-Worker header, but it doesn’t seem to work either
I tried -
not(any(http.request.headers.names[*] == "CF-Worker"))
and also
not(any(http.request.headers["cf-worker"][*] matches "^.+$"))

Probably because according to the docs (Cloudflare HTTP request headers · Cloudflare Fundamentals docs) it seems like when using rules (they specifically mention WAF rules, but I think it behaves the same here) the CF-Worker header is not set yet and they actually refer to use the cf.worker.upstream_zone parameter

Do you have any ideas?
It seems like the only way to overcome that is to use the not starts_with and specifically adjust the Filters for every rule we have

Hi,

As far as Transform Rules go, this worked with me:

http.request.uri.path contains "/teste/"
and not (http.request.headers["cf-worker"][0] eq "example.com")

image

The headers A-Request and A-Workers are added by the Worker itself, so the rewrite is working without adding the path element twice (or multiple times), as would have been the case since the first condition uses the operator "contains’ and both URLs do contain “/teste/”.

However, it only works because my test worker has as a path /v1/teste/ and the request was made to /teste/. If I visit /v1/teste/ directly, it adds another /v1 before it sends the request to the Worker.

So it all depends on how you set up the paths and routes in your installation. Depending on the complexity of it, you may want to add the rewrite logic to the worker itself.

1 Like

Thanks @cbrandt , you helped me a lot :slight_smile:

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.